[Fedora-directory-users] Re:certificates

Howard Chu hyc at symas.com
Thu Jan 12 21:12:02 UTC 2006


> Richard Megginson <rmeggins at redhat.com> wrote:
>> Susan wrote:
>> >oops, you're right, I didn't think that through.  Of course.
>> >
>> >it just seems that managing CA certs on the clients would be a real pain.
> Indeed it is, if you have to update thousands of clients with the CA 
> cert.  But then, if you have such a large deployment, you will probably 
> find it beneficial to apply for a real CA cert from Verisign or some 
> such, and use a real CA.

That's why it's so important to generate a proper CA cert in the first 
place, and keep it safe. I see many people on mailing lists talking 
about how they generated a single self-signed cert and are using it as 
their actual server cert. No matter how much time we spend explaining 
why this is a stupid idea, they still do it. I'm not a big fan of paying 
real money for a random string of bits, and even Verisign has made 
screwups in the past. Basically as long as you keep the CA's private key 
safe, there shouldn't be any problem running with your own CA cert.

> <shameless_plug_for_RHCS>
> Red Hat Certificate System has support for web based cert issuance.  It 
> supports CRL generation and has an OCSP responder.  It can generate 
> certs and automatically publish them to an LDAP server (e.g. to generate 
> the userCertificate attribute for users).
> </shameless_plug_for_RHCS>

Since we're on the topic, Symas has a CA module for OpenLDAP that 
generates certs on the fly for authenticated users. Naturally since it 
executes inside slapd, the cert is automatically stored in the user's 
LDAP entry. It's been part of our Connexitor EMS suite since 1999, and it 
works quite painlessly.

>> >Besides, is there any way within this whole FDS framework to revoke Certs?
> This issue is outside of Fedora DS.  It's more of an issue with your PK 
> infrastructure and your CA.
>> >If the ldap server is
>> >compromised, how do I tell the clients not to trust it (or the CA or both) anymore???

If the CA is compromised, all bets are off. Life can get ugly when the 
CA cert expires too...

> Revoke the cert on the CA, and have the CA generate a CRL.  Then, push 
> out this CRL to all of your clients.  I'm not sure how to do this with 
> openssl, but NSS provides a command line tool called crlutil that can be 
> used to install a CRL into your cert database.  
> Mozilla/Firefox/Thunderbird can do this automatically.

Newer OpenSSL versions (certainly 0.9.8, but possibly also 0.9.7) can do 
CRL checking automatically, but you still must configure a source of 
CRLs to check. It's a bit more tedious in 0.9.6 and older.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
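The revoke-then-publish-a-CRL procedure discussed above, run end to end with the openssl CLI as an added example (not code from this thread, Fedora DS or OpenLDAP): a throwaway CA issues a server cert, revokes it, emits a CRL, and a client check shows that merely holding the CRL is not enough unless CRL checking is actually switched on. The CA name and the ldap.example.test hostname are made-up lab values.

```shell
# Added example (not code from this thread); assumes the openssl CLI is on PATH.
# cert_status: prints valid, revoked, or the verify error text; extra args (e.g. -crl_check) go to openssl verify.
cert_status() {
  trust=$1; cert=$2; shift 2
  out=$(openssl verify "$@" -CAfile "$trust" "$cert" 2>&1 || true)
  case "$out" in *"certificate revoked"*) echo revoked ;; *": OK"*) echo valid ;; *) echo "error: $out" ;; esac
}
ca_lab_run() (  # subshell in a temp dir, so cd and set -e do not leak to the caller
  set -e; cd "$(mktemp -d)"
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 90
default_crl_days = 7
policy = lab_policy
[ lab_policy ]
commonName = supplied
EOF
  # 1. Self-signed CA cert: this is what the clients get; ca.key stays offline.
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Lab CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
  # 2. Separate server key and CSR, signed by the CA (never the CA cert itself).
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.test" -keyout ldap.key -out ldap.csr >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in ldap.csr -out ldap.crt >/dev/null 2>&1
  before=$(cert_status ca.crt ldap.crt)
  # 3. Server compromised: revoke on the CA and publish the CRL next to the CA cert.
  openssl ca -batch -config ca.cnf -revoke ldap.crt >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  cat ca.crt ca.crl > trust.pem
  # 4. Holding the CRL is not enough: without -crl_check the revoked cert is still trusted.
  unchecked=$(cert_status trust.pem ldap.crt)
  checked=$(cert_status trust.pem ldap.crt -crl_check)
  echo "$before $unchecked $checked"   # valid valid revoked
)
```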